What You Don't Know: Common IT problems for Community Banks

By Bob Hickok

February 08, 2019

Many banks rely heavily on a third party for their IT work, which is understandable given their resources. However, banks or their security testers also need to know how to check on that third party’s work, and that is often where the gaps exist.

Common Scenarios
An example we’ve seen at many banks involves security cameras and security access systems, particularly when the bank has replaced its security systems as part of a building project or acquisition. Many times, those cameras and/or locks are easily accessed by unauthorized people, because while the security system vendors may or may not have created user logins for the bank to use, they often leave the admin accounts at default or leave the admin passwords blank. In one instance, it took us about a minute total to scan the $300 million bank’s network with a free tool and find and access some interesting devices with a web browser. We then put the brand and model number into Google and found the default admin user and password, which allowed us to log in with complete administrator access. The security officer at the bank had been told by the security company that the devices were not accessible from anywhere except at their PCs using a special program. They were understandably frustrated by, and grateful for, our discovery.

Software patching also continues to be a problem at many banks, especially when a third party is responsible for it. Patching problems affect Microsoft apps and Windows itself, but they are also a big problem in non-Microsoft apps like Java, Adobe Reader, Adobe Flash Player and others that we use when surfing the web. The vulnerabilities in these apps have been exploited in most of the biggest breaches we’ve heard about worldwide in the past decade.

Other Systems at Risk
There are also other types of systems for which vendor default credentials are frequently left in place, making unauthorized access to systems and data a simple matter. These can include storage systems, scanners, phone systems, network switches and routers, among others. Access to these systems could give a person the power to delete all of the bank’s stored data. Smart TVs or electronic signs can also be hacked easily, giving someone the chance to display malicious content in offices or on outdoor signs, then change the password and lock out the owner.

Gain Peace of Mind
Carefully performed vulnerability assessments and security testing can help you know that your bank is getting its money’s worth from IT investments. The goal of such an assessment is not to question or challenge the relationship you have with your vendors, but rather to help you gain confidence that your technology and information are being handled in the safest possible manner.

Cybersecurity Risk Assessment

We are pleased to offer this risk assessment to assist your financial institution in measuring inherent risk and cybersecurity maturity. This questionnaire is designed to help your organization understand baseline requirements for mitigating cybersecurity risks and evaluate additional controls as your organization matures in size and complexity.
